Unshackled: Wireless Administration

Some think administrators have all the luck. They’re kings of their castle with god-like rights over the corporate network. Right. Many fail to realize all the heartache and headaches that come with these rights. Phone calls or pagers going off in the middle of the night; users that want things done yesterday, and budgets that don’t even come close to covering what management wants out of their systems. Worse is the lack of freedom. Sure, you’re king in the network, but you’re also a prisoner, because most of the time you just can’t leave.

If this is your life and you want to get away from it, then wireless
systems administration might just be the ticket out. You probably already
own at least one wireless device, whether it be a RIM Blackberry, Palm
Pilot, Pocket PC, a new-fangled Smartphone or even a Tablet PC. With the
right remote administration tools and your wireless device, you could
leave the office and manage your systems as if you were there. Users and
managers wouldn’t even know you’ve left. How’s that for a deal?

Wireless Administration Coverage
We know what you’re thinking: How could I leave the office and administer
my systems remotely if wireless administration software doesn’t cover
everything I need to do? And you’re right. Wireless administration tools
just won’t cut it if they don’t cover the basics and more in terms of
systems administration. To be truly useful, wireless administration tools
should cover the following areas:

Generic Administration

User and Group administration

Server administration

PC/Mobile Device administration

Security Management

Server Role Administration

File & Print Servers (shared folder and printer administration)

Web Servers (IIS administration)

Collaboration Servers (Exchange administration)

Identity Servers (Active Directory administration)

Terminal Servers (Terminal Services administration)

Application Servers (SQL Server administration)

Infrastructure Servers (DNS, DHCP, WINS administration)

Ideally, remote administration tools would allow in-depth access to the tools required for most problematic situations. A tool that manages all the above activities would grant administrators the most freedom in their everyday tasks, but in some situations, a tool that manages at least each of the generic areas of activity can still offer a lot of value. Imagine: resetting user passwords while sitting in a meeting; creating new users while taking a technical course offsite; or even stopping and starting system services while on your way home. All you need is a) The right wireless device, b) A functional wireless carrier and c) The right remote administration tools.

For the first part, several wireless devices now support remote administration
(see “Wireless Devices Used”). For the second, you’ll need to
choose the right carrier. For the third, three tools are examined here:
MobileControl Administrator for Windows by ASG, sonicadmin by Sonic Mobility
and PocketAdmin for Windows by Expand Beyond.

Mobile Suite for Microsoft based on XBAnywhere version 2.3
The Mobile Suite (includes PocketAdmin for Windows and
PocketDBA for SQL Server) starts at $250 per server/minimum
10 servers.
Expand Beyond
http://xb.com

ASG MobileControl Administrator for Windows
The Allen Systems Group (ASG) tries to cover end-to-end software solutions.
Many of these solutions have been added to the ASG roster through acquisitions.
Such is the case for ASG’s MobileControl Administrator (MCA) for Windows.
This tool focuses on remote systems administration for both generic activities
as well as specific server role administration.

MCA is easy to install. Simply double-click on the setup file, answer
a few questions and you’re up and running. Its best feature is the zero-footprint
client interface. Client access to the MCA console is through straight
HTTP, Secure HTTP (HTTPS) or Wireless Markup Language (WML). This means
that all the client devices need to do is know how to access and display
a Web page. This is a real boon. Simply make sure your client has Internet
access either through the General Packet Radio Service (GPRS) or an 802.11x
network, type in the address of the MobileControl Web page and off you
go. For access outside your private network, install a third-party Virtual
Private Network (VPN) client for added security, and you can use any public
wireless network. There is, however, a specific client for Pocket PCs
you can install. But since the Pocket PC can also access MCA through the
Web page, it seems pointless to bother.

Remote administration is simple and straightforward (see Figure 1): Simply go to the administration Web page and point-and-click. Logon is performed through an actual logon to the Windows server, followed by a request for your PIN. Once you’re in, you’ll see that administration activities cover users, computers, servers and services, print and file servers, SQL Servers, servers running IIS and even devices running the Simple Network Management Protocol (SNMP). Most activities are point-and-click; very little typing is required. Computer, user and server administration screens include the ability to enumerate all devices so you don’t have to remember the exact spelling of an object name to access it. Administration works very well with all of the supported devices.

Figure 1. The ASG MobileControl Administrator
Interface consists of a simple Web page. It automatically adjusts
to the capability of your device’s Web browser to give you full access
to its complete feature set.

MCA does have some drawbacks. In fact, it seems more like a Windows NT tool than a post-Windows 2000 one, because it doesn’t come with a Windows Installer-based setup. It also relies heavily on IIS, and its user and group management tools don’t really address AD management activities. Though it works with either SQL Server 7.0 or 2000 in either the full or desktop editions, it doesn’t support Windows integrated authentication, which means assigning user rights through the SQL Server Enterprise Manager. You can, of course, choose to install the included Microsoft Desktop Engine (MSDE) version of SQL, but doing so will leave you with a blank system administrator password, something any admin worth his salt would find abhorrent. Lastly, authorization is performed on a user-by-user basis instead of through groups.

Overall, MCA is a good product that’s probably due for an upgrade—something
that ASG promises early next year—to integrate capabilities such as Group
Policy and AD management, as well as Exchange server administration. The
current version of MCA also supports the Telnet and secure shell (SSH)
access methods to servers, but since the Web connection supports the command
line, these may not be required. It relies on IIS, but this is a small
price to pay for zero footprint client installations.

Our Test Devices

We ran all three packages on a Palm Tungsten
C, an HP iPaq HP4150, an Intermec CT60 WalkAbout Rugged
Tablet PC and a new Motorola MPx200 Smartphone that
accessed the MobileControl Web site through the AT&T
wireless network. Administering a server through a phone
takes a little getting used to, as typing and menu selection
aren’t all that easy, but it works fine once you get
the hang of it.

The advantage of the phone is that its network access
works anywhere a cellular phone does, making it more
practical in some ways than a Pocket PC or Palm Pilot,
unless of course, those devices include a GPRS card.

Sonic Mobility Sonicadmin
Sonic Mobility is completely focused on mobile software. The company’s
goal is to build mobile tools that respond to everyday situations. Sonicadmin,
its flagship remote administration tool, was even selected by Dell and
Microsoft to be part of a special remote administration offer for Windows
Server 2003 during its launch period. Unlike ASG’s MCA, sonicadmin requires
both a client and a server component. This means installing specific software
on the handheld device. On the other hand, Sonic Mobility produces clients
for most platforms including Palm (OS 5 and later), Pocket PC, RIM and
Blackberry devices—though not all of the latter are supported. Installation
is also straightforward since it requires the execution of a single file
on both servers and clients. The server installation file seems up to
date since it is in Windows Installer format. The same goes for the Windows
client.

Because it provides a special client, sonicadmin doesn’t rely on IIS. Instead, the client communicates over TCP port 8168. This means you must open this port on your firewall if you want to perform remote administration from outside your private network. The port number can be configured at installation to further reduce the risk of a security breach. Sonicadmin integrates with third-party software such as the Blackberry Enterprise Server—though this integration isn’t required to work with RIM or Blackberry devices—as well as software tools such as Opalis Robot and NetIQ AppManager.

Sonicadmin configuration is performed through a Microsoft Management Console (MMC) including a taskpad (see Figure 2).

Sonicadmin’s MMC-based interface lets you add authorized devices and users. Of note is the ability to configure authorizations through administrative roles and assign them to groups of users. This way you can allow help desk personnel to reset passwords, but not reboot servers. It also allows support engineers to have proper remote administration rights. This role-based approach is akin to role-based server management, making it easier to assign appropriate rights to groups of administrators. The console also lets you designate managed systems, including systems that support command-line based management.

Once the system is properly configured, the next step is to install client software. Each client device must be cradled to support the software installation. The client device must have proper wireless access to the network to be able to support remote administration. To remotely manage a server, the client needs to first launch sonicadmin, authenticate the device to the sonicadmin server, then authenticate the user. Device authentication is required only the first time you log on. Once you’re in, you select the server to manage. Sonicadmin includes the ability to get all user, group and system objects, and has filters to make it easier to find specific objects in large networks. Of note is the ability to distinguish between local and domain users and groups. Unfortunately, since user creation is limited to new users only—like the two other tools—no template accounts can be used.

Sonicadmin offers complete access to services, processes, and event logs. Administration through the client is simple and straightforward, and works through any Internet connection to your server. The client interface is lightweight and well designed for each device we looked at; unfortunately, we weren’t able to test the RIM or Blackberry interfaces.

Sonicadmin seems more modern than MobileControl Administrator. It provides
its own level of security, and because of its integration with SecurID,
gives more secure access to servers. Its basic requirement for both device
and user authentication makes it more secure by default. It doesn’t support
SQL Server or IIS except through the command line, though it does provide
a very useful and powerful Exchange administration component. Of note
is the ability to integrate with X-10-enabled power management devices
through its powerrover feature. If your hardware supports the standard,
you can even use sonicadmin to remotely control electrical devices, setting
back or raising the heating and air conditioning controls in the server
room, for instance.

Expand Beyond PocketAdmin for Windows
Like Sonic Mobility, Expand Beyond is completely dedicated to mobile technologies.
It provides two mobile administration products: PocketAdmin for Windows
and PocketDBA. As its name implies, the latter focuses on SQL Server,
Oracle or Teradata database administration. Both products are bundled
through the Mobility Suite for Microsoft, though only PocketAdmin for
Windows is evaluated here. Installation of the server component is very
straightforward, and is based on ZeroG’s InstallAnywhere. The two other
products used Wise Solutions’ Installer. This is probably because Expand
Beyond products work with both Java runtimes and the .NET Framework.

Obtaining the software isn’t easy. First you need a serial number to access the download area. Next, you need a hardware-specific license file based on the destination server’s Media Access Control (MAC) address for installation. This does limit possibilities since you have to contact Expand Beyond technical support if you need to move the product from one server to another. And you must have the serial number to access updates and documentation on the Web site. In addition, you’ll need a whole slew of components to get the software to work. It’s highly recommended to fully read the documentation before installing. It’s true that this should be a best practice in any situation, but honestly, who really does this in a test environment? Once you figure out how it works, installation is actually fairly straightforward.

PocketAdmin requires a few components to work. The first is the XBAnywhere server. This is the administrative component that allows pocket devices to access remote administration. XBAnywhere is based on the Apache Tomcat Web server, automatically installed during the installation of the server component. In addition, you’ll need the Windows Gateway application, which connects to an AD domain. Expand Beyond components require a Java runtime—also automatically added—but rely on the .NET Framework to access Windows Management Instrumentation (WMI). This complex architecture is probably because it also supports remote administration of UNIX and Linux environments.

PocketAdmin for Windows includes client components which can be installed on either Pocket PC or Palm devices, but these aren’t absolutely required, since either device can use a Web connection to access the management site (see Figure 3).

Figure 3. The PocketAdmin for Windows Interface
is very clean and easy to use. The toolbar on the left gives fast
access to each of the administration tools.

RIM and Blackberry device support should be available in early 2004.
To ensure secure access, you can use either a Secure Sockets Layer (SSL)
certificate or a VPN connection, though the Microsoft VPN included in
Pocket PCs doesn’t work with PocketAdmin. As with sonicadmin, you can
also integrate PocketAdmin with RSA Security Inc.’s SecurID for two-factor
authentication.

Once you’re connected, you’ll find a simple and straightforward administration interface. PocketAdmin lets you control both domain and local accounts. Once again, domain account creation is ad hoc and can’t be based on templates. Though PocketAdmin works with AD, it lets you input very little information about users when creating their accounts. Of note is the easy-to-use interface. Simply point and click on one of the icons in the left-hand toolbar and you’ll change management category. Though PocketAdmin works with Windows 2003, it sometimes gives error messages when performing administrative tasks. Despite this, the operations actually work. This is something Expand Beyond promises to fix in a future release.

The PocketAdmin toolbar covers most common administrative tasks such
as print, file, folder and user and group management. For additional tasks,
you can use the secure shell interface to access a command line and launch
additional applications or scripts. Overall PocketAdmin is simple to use,
if not to install, and provides as complete a set of functionalities as
the other two products reviewed.

Testing wireless administration requires
a lab that covers the gamut of wireless devices, or at
the very least each wireless device your organization
uses. And it must have a wireless access point. Since
the industry is working to establish more stringent wireless
security protocols, you should aim to use these to secure
your wireless communications. This is why we used Wi-Fi
Protected Access (WPA) for 802.11x communications.

WPA has two basic functions. First, it protects data
in transit in a more secure fashion than Wired
Equivalent Privacy (WEP). Second, it provides
secure access control and authenticates users. The latter
is provided by an authentication mechanism based on
the Extensible Authentication Protocol (EAP) that runs
on Remote Authentication Dial-In User Service (RADIUS)
servers. For Windows networks, this means using the
built-in Internet Authentication Service (IAS), possibly
along with the Windows Server Public Key Infrastructure,
to support authentication.

For small businesses that must do without these complex
infrastructures, WPA supports a special Pre-Shared Key
mode that works with manually-entered keys or passwords.
These keys are entered in each device. Once this is
done, the WPA dynamic encryption key exchange process
begins. WPA uses dynamic encryption keys through the
Temporal Key Integrity Protocol (TKIP), another specification
that has yet to be approved (expected in 2004). Finally,
WPA uses “Michael,” a special message integrity checksum
that will help limit interception and decoding of TKIP
keys. We used the pre-shared key mode for simplicity.
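
The pre-shared key mode described above turns the passphrase typed into each device into a 256-bit key using PBKDF2-HMAC-SHA1, salted with the network name (SSID) and iterated 4,096 times. The following Python code is an added example, not part of the original article or of any product reviewed here; it derives that key and checks a lab passphrase before it is entered on the devices. The 20-character minimum, the function names and the sample SSID and passphrases are assumptions made for the illustration.

```python
import hashlib
import string

WPA_ITERATIONS = 4096     # iteration count fixed by the WPA passphrase-to-key mapping
PSK_BYTES = 32            # the pre-shared key is 256 bits
MIN_RECOMMENDED_LEN = 20  # assumption: local policy threshold, not a protocol limit


def classify_key_material(value):
    """Return 'hex-psk' for a raw 64-hex-digit key or 'passphrase' for
    8-63 printable ASCII characters; raise ValueError for anything else."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return "hex-psk"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError("WPA-PSK needs 8-63 printable ASCII characters or 64 hex digits")


def derive_psk(key_material, ssid):
    """Derive the 256-bit pre-shared key that every device on the network computes."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if classify_key_material(key_material) == "hex-psk":
        return bytes.fromhex(key_material)  # raw key: used as entered, no derivation
    return hashlib.pbkdf2_hmac("sha1", key_material.encode("ascii"),
                               ssid_bytes, WPA_ITERATIONS, PSK_BYTES)


def audit_passphrase(passphrase, ssid, min_len=MIN_RECOMMENDED_LEN):
    """Return a list of findings for a passphrase about to be deployed."""
    findings = []
    if classify_key_material(passphrase) == "hex-psk":
        return findings  # a full 256-bit key entered as hex; nothing to flag here
    if len(passphrase) < min_len:
        findings.append("shorter than %d characters" % min_len)
    if ssid.lower() in passphrase.lower():
        findings.append("contains the network name")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    used = sum(any(c in cls for c in passphrase) for cls in classes)
    if used < 2:
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    # Constructed sample values for a test lab.
    ssid = "LabNet"
    for candidate in ("labnet2003", "tungsten-iPaq-walkabout-42"):
        print(candidate, audit_passphrase(candidate, ssid) or "ok")
        print("  PSK:", derive_psk(candidate, ssid).hex())
```

Because the SSID acts as the salt, the same passphrase yields a different key on a differently named network, and the passphrase itself is the only secret protecting every device that shares it.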

There were four servers to be administered, all running
various editions of Windows Server 2003. The core server
running the remote administration tools was installed
with Windows Server 2003 Enterprise Edition. Client
devices included one Windows XP workstation, one Palm
Tungsten C device supporting 802.11b, one HP iPaq HP4150
device running the Pocket PC operating system with 802.11b
and Bluetooth connectivity, one Intermec CT60 Rugged
Tablet PC with 802.11b and one Motorola MPx200 Smartphone
from AT&T.

Palm Tungsten C
If you’re used to a Palm Pilot, you will probably find
yourself constantly looking for the Graffiti input area
when working with the Tungsten C. That’s because this
device is one of the first Palm devices to come with
an integrated keyboard, which takes a little getting
used to. But with its integrated 802.11b wireless networking,
the Tungsten C quickly makes you forget all about Graffiti.
The keyboard is actually one aspect that gives the Tungsten
C a “thumbs up” for remote administration. In fact,
it’s a lot easier to use it to type in user names and
other values when testing the remote administration
tools than either the Smartphone or the Pocket PC.

If Palm is your thing, this is a great model. No need
to learn how to write Graffiti, access to Word and Excel
documents, along with links to the Internet and e-mail
wherever there is Wi-Fi access, make this a keeper.

HP iPaq HP4150
This iPaq is one of the thinnest and lightest devices
on the market. It’s hard to believe it also integrates
both Bluetooth and Wi-Fi connectivity. It sports a very
nice design and includes a comprehensive series of applications.
One of its nicest features is the removable battery,
making it very easy to carry spares for extended operation.
It worked very well with the remote administration tools
we tested.

The iPaq comes packed with applications that make it
very useful on the road. It takes a little time to get
used to the Pocket PC software interface, but those
familiar with Windows will pick it up in a jiffy. This
is a great wireless device that provides a powerful
package in a very small form factor.

Intermec CT60 WalkAbout Rugged Tablet PC
Remember the days of yore when everyone thought we’d
soon get the “paperless” office? Well, they’re not far
off now with the coming of Tablet PCs. The Intermec
WalkAbout may be one of the devices that heralds its
coming. This rugged tablet sports integrated Wi-Fi access
in a small and useful format.

The WalkAbout includes two batteries for extended operation.
And it supports docking and undocking without turning
off the system. The nicest part of this product is its
rugged aspect. Who hasn’t dreaded dropping a portable
system whenever they need to move it in a hurry? Well,
you can drop this one without too many worries—it’s
passed MIL850 testing (for military standards), making
it ready for just about anything. The Tablet PC operates
very much like any Windows XP machine, so very little
training is required.

One thing you won’t do with this device is carry it
in the palm of your hand, since it does weigh in at
5.5 pounds with its two batteries. It includes a hand
harness so you can hold it in one hand while using it
with the other, but not for long periods of time. But
if you need a Tablet PC, consider a rugged edition;
it will no doubt last much longer.

Motorola MPx200 Smartphone
The neatest device we tested was the Motorola Smartphone.
We’ve used a lot of wireless phones, but never one this
practical. It’s really easy to save and store numbers,
view calls both outgoing and incoming, and access all
of the standard Pocket PC features. This flip phone
sports two displays: An interior high-resolution color
display very much like any other Pocket PC device, and
an exterior LED that announces callers, gives date and
time and other system information when the phone’s closed.

The phone works like any other Pocket PC device. The
carrier, AT&T, includes special features for the support
of e-mail, games and other wireless essentials. Navigating
and operating a Pocket PC with only phone controls does
take a little getting used to, but once you’ve started
you won’t want to go back. This is one device that integrates
a personal digital assistant with a mobile phone very
well.

—Danielle Ruest and Nelson Ruest

Sizing Them Up
Choosing between the three remote administration tools won’t be easy.
Overall, the products have strong but similar feature sets. MobileControl
Administrator is interesting since it seems to offer all features in one
single package, is simple to install and configure, and doesn’t require
a client installation. On the other hand, you’ll require a separate solution
to secure external communications. Sonicadmin requires a client install,
but provides a more secure interaction on its own. Like MobileControl
Administrator, sonicadmin also supports some RIM and Blackberry devices,
which extends its wireless reach. PocketAdmin for Windows doesn’t necessarily
require a client install, but like MobileControl Administrator, requires
a third-party solution for secure operation. On the other hand, XBAnywhere
supports the administration of Windows, Linux and UNIX servers, so if
you manage a heterogeneous environment, this might be the ideal tool.

If you need to acquire a mobile Windows administration solution immediately,
and don’t mind waiting for the update, you can select MobileControl Administrator
for Windows now and upgrade later to gain more functionality. If you want
a more secure solution out of the box, then choose sonicadmin. If you
need heterogeneous systems management, PocketAdmin for Windows is your
best bet.

Online Resources

See more about role-based server administration
in “Windows Server 2003 Pocket Administrator” by Ruest and Ruest from Osborne, at www.Reso-Net.com/PocketAdmin.

Table 1. Wireless Administration Tasks—Use this information to identify which
tool offers the administrative coverage you need. A missing feature
may not have an impact if you don't require management of that particular
server role.

Table 2. Wireless Administration Tool Criteria—With the coming of Windows Server
2003, tools that make use of the .NET Framework will be more popular
because it's integrated into the OS. Tools that have a zero footprint
on wireless devices may also be more popular since no installation
is required. But the tool you choose must also support all the administration
tasks you have to handle. Use this table with Table 1 to identify
the tool that best suits your environment.